AI Security Review
scanned 2h ago · by lpm-firewall-aiRuntime HTTP(S) and WebSocket proxy endpoints accept user-supplied destinations. An adapter-status RPC can request a host-side adapter upgrade command.
Static reason
No blocking static signals were detected.
Trigger
A user or frontend client invokes `/aura/proxy`, `/proxyws`, or sends `upgradeAdapter` to the running adapter.
Impact
May enable SSRF-style access, cookie forwarding to arbitrary targets, TLS interception exposure, or privileged adapter upgrade actions if reachable by an untrusted client.
Mechanism
User-directed proxying and constrained host command dispatch.
Rationale
Source inspection finds risky runtime capabilities rather than concrete malicious behavior. Flag for warning and authorization/SSRF review; do not block publication as malware.
Evidence
package.jsonmain.jslib/webExtension.jsio-package.json
Decision evidence
public snapshotAI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
- `lib/webExtension.js` exposes `/aura/proxy` for caller-supplied HTTP(S) URLs.
- Proxy forwards client cookies and disables TLS certificate verification.
- `main.js` accepts caller-supplied WebSocket proxy targets at `/proxyws`.
- `main.js` handles `upgradeAdapter` by requesting host `cmdExec` with `upgrade <name>`.
- No authorization/origin check is visible around these runtime proxy and message handlers.
Evidence against
- `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` hook.
- No child-process, shell, eval, VM, dynamic require, or credential-file harvesting appears in package-authored source.
- Runtime persistence shown writes only adapter-scoped performance JSON.
- Network behavior is consistent with the advertised ioBroker dashboard/proxy functionality.
Behavioral surface
ChildProcessEvalFilesystemNetwork
HighEntropyStringsMinifiedObfuscatedTelemetryUrlStrings
Source & flagged code
1 flagged · loading sourcewww/assets/echarts-Cv-_nZ52.jsView file
39`+g.message)}var n=new it;n.add(a),n.isGeoSVGGraphicRoot=!0;var i=e.width,o=e.height,s=e.viewBoxRect,l=this._boundingRect;if(!l){var u=void 0,f=void 0,v=void 0,h=void 0;if(i!=null?...
L40: `+i.message)}return o8(e,n),A(n,function(i){var o=i.name;l8(e,i),f8(e,i);var s=this._specialAreas&&this._specialAreas[o];s&&i.transformTo(s.left,s.top,s.width,s.height)},this),n},r...
L41: `))}),t.join(`
Low
Eval
Package source references a known benign dynamic code generation pattern.
www/assets/echarts-Cv-_nZ52.jsView on unpkg · L39Findings
2 Medium7 Low
MediumNetwork
MediumStructural Risk Force Deep Review
LowScripts Present
LowEvalwww/assets/echarts-Cv-_nZ52.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings